Background of the Invention



1. Field of the Invention

The present invention relates generally to firewalls for the protection of private networks
of computers and computer controlled equipment that are connected to public networks
of computers. In particular the present invention is directed to ensuring private network
security while remote users on a public network upload or download data to nodes on
the private network. The invention is designed to allow remote access to individual
computers and computer interfaced equipment on a private network without
compromising security of the private network.

2. Description of the Background 

The typical firewall is designed to operate in an environment in which information
passes between a remote user on a public network and a node on a private network. A
node will typically be a computer or a piece of computer controlled equipment. The
typical node divides the information to be sent into packets of data and the typical
network connection switches the packets to the correct node using the network
identification code of the node. The network identification code is usually the IP
address. The route from remote user to target node can involve numerous links over
numerous networks. Typical networks are described in "Step up to Networking" by J
Woodcock and published by Microsoft Press. Network security is discussed in
"Mastering Networking Security" by C Benton and published by Sybex.

There are two methods of passing packets over networks using either a connectionless
or a connection oriented communication service. In a connectionless service, each
packet is an independent unit that can take its own route to the target node. In a
connection oriented service, a route is chosen and maintained until all the packets in the
entire message have been sent, although multiple packets travelling to multiple locations
can share steps in their routes. The process of passing packets is accomplished by
network protocols such as Ethernet which is a connectionless protocol and
Asynchronous Transfer Mode (ATM) which is a connection oriented protocol. These
protocols are usually described in terms of a model consisting of layers that manage
different parts of the communications process. The 7 layers in the OSI model are
described in "Step up to Networking" p 67. The layer 1 in the communication process is
the physical layer of electrical or optical binary signals. The layer 2 is the data link layer
that ensures reliable passing of packets from source to destination on a single step in
the route. The layer 3 is the Network layer that routes the packets over multiple steps
to their final destination.

The typical firewall is placed at the point of connection between the private network
within a home or corporation and the public network such as the Internet. The functions
of a typical firewall include hiding details of the internal structure of the private network,
preventing unauthorized entry, checking for viruses hidden in emails or blocks of
downloaded data, and blocking damaging commands. Some firewalls provide an
encryption barrier to enhance security of the private network.

There are a number of limitations to typical firewalls. A remote user who finds a way
past the firewall at the entry point to the private network has complete access to the
private network. People who find a way past the firewall with intent to do damage can
be hackers, or disgruntled individuals with valid encryption keys. Once past the firewall,
the only way to limit access within a private network is by separating the network into
sub networks separated by routers. Routers make decisions to pass the packets of data
between computers based on the identification codes of both send and receive
computers. There are ways to deliberately disguise the identification code of the sender
and bypass the routers security as discussed in "Mastering Networking Security".

An additional limitation of typical firewalls arises from the difficulty of checking that all
the incoming information to a large commercial network only contains acceptable
commands and data. The difficulty in checking for acceptable content is mostly due to
the unlimited number of programs that can be used to generate the information.
Because the firewall cannot check that the incoming information is acceptable, the
typical firewall attempts to check for damaging programs such as computer viruses.
Checking for viruses is a continuous problem because the inventor of a new virus will
typically be able to beat a trapping program designed for known viruses.

The typical firewall has particular difficulty with respect to two trends in the Internet:
entertainment and remote diagnostics. With the Internet as a source of entertainment,
large amounts of video will be sent into the private network in the home. This data will
probably not be uniquely encrypted for each user, and will be very difficult to check for
viruses because of the amount of data.

Remote diagnosis describes a process for identifying the cause of a problem in a
computer or a piece of computer controlled equipment and solving the problem from a
remote location. With more equipment being computer controlled there are
opportunities to diagnose problems, and service the equipment over the Internet
without sending a service person. The problem is that to diagnose a problem the
remote user needs complete access to the equipment which presents several security
dangers to the equipment and the private network. One danger is that the remote user
must have unrestricted access to the equipment and will be difficult to block from the
rest of the network.
The equipment vendor also has concerns because to diagnose problems typically
requires a much greater level of detailed knowledge than is usually provided in a
manual. Typically the vendor does not want to disclose all the proprietary internal detail
of their equipment to their customer, so each vendor would prefer to keep their data
away from the customers private network and keep competitors from spying on the
equipment while performing maintenance on their own equipment.

The present invention is particularly suited to providing security when a user is receiving a
large amount of unencrypted data such as a movie being downloaded. The present
invention also provides security when remote users are reading the data inside
computer controlled equipment to diagnose problems.
Summary of the Invention

The Invention provides for remote access by remote users on a public network such as 
the Internet to a private network (or Host network) node without compromising the 
Host network security. Remote access is provided by a second network (or Access 
network) separate from the Host network but under the control of the Host network. 
Nodes that are required to support remote access are connected to both the Host and 
Access network by an electrical switch controlled by the Host network. Typically the 
Host and Access networks have their own connections to the public network and each 
node has two identification codes or IP addresses. There are two physically separate 
paths for packets of data to reach a node from a public network. 

The invention provides security for the Host network connected to a public network
such as the Internet using an electrical switch and a firewall associated with each node.
The electrical switch is an EITHER - OR switch controlled by the Host network, which
ensures that any node being accessed from outside is disconnected from the internal
network by a physical hardware switch. The advantage of a hardware switch or
electrical switch as compared to a conventional packet switch in a typical router is that
the electrical switch cannot be disabled or bypassed by an external piece of software.

Firewalls at each node are distributed throughout the private networks allowing content
checking and encryption of information unique to individual nodes. By having the
firewalls distributed at each node, the information can be checked against the limited
instruction set unique to that node, so the firewall provides a positive check for
acceptable content.
The two private networks pass messages over two different media where the different
media are two separate cables, two separate groups of wires in a single cable, one
wired media and one wireless media, or two different protocols running in a common
wire. The use of two media ensures that one set of messages on the access network
cannot be sent over the private network either by a mistake or by an unauthorized
intruder.

The switch box can be implemented in several ways such as part of a hub in a star
topology network, or using external switch boxes that connect the node to the
networks, or with the switch box built into the node.
Brief Description of the Drawings



The accompanying drawings, which are incorporated in and constitute part of this
specification, illustrate embodiments of the invention and, together with the description,
serve to explain the advantages and principles of the invention. In the drawings,
Figure 1 is a block diagram of the dual network
Figure 2a is a block diagram of a hub network with a separate switch
Figure 2b is a block diagram of a hub network with a switch built into a node
Figure 2c is a block diagram of a hub network with a switch built into hub
Figure 3 is a block diagram of a dual network switch
Figure 4 is a block diagram of a hub network with a multiple protocol switch
Figure 5 is a method for remote access
DETAILED DESCRIPTION



The preferred embodiment of the network architecture is shown in Figure 1, consisting
of two private networks 101 and 111 connecting a node 123 to both private networks
through a switch box 120. Each network is connected to a public network 121 such as
the Internet through routers 102 and 112. For the purpose of illustration, the network
101 is designated as the "Host Network", and it is assumed that the Host Network is
used for inter computer communications, printing and all the normal traffic associated
with a network within a company or a home.

Again for the purpose of illustration, the private network 111 is designated as the
"Access Network", and it is assumed that the Access Network is used for the high
bandwidth input and output that is associated with entertainment or remote diagnosis.
It will be obvious to someone skilled in the art, that the single networks 101 and 111
may be multiple networks connected by hubs and routers distributed anywhere in the
world or in space and that there can be multiple switches and nodes connected to the
networks.

The switch box 120 has a connection 103 for the Host Network 101 to pass data, a
connection 114 for the Access Network 111 to pass data, and a connection 104 to the
electrical switch 120 inside the switch box. Computer 105 uses the connection 104 to
control which network (either 101 or 111) is connected to the node 123. A computer
117 on the Access Network is used to log all activity on the Access Network.

The preferred embodiment for the connection of the node with a separate switch box is
shown in Figure 2a. One node 222a is connected to a switch box 221a which is
connected to a hub 202 by media 201a, and a second node 222b is connected to
switch box 221b which is connected to the hub 202 by media 201b. The hub allows
multiple nodes such as computers and computer controlled equipment to form a
network connection and communicate. The hub 202 is connected to the public network
220 by a router 203. A second hub 212 provides a second connection 211a and 211b to
the nodes. The second hub 212 has a second connection to the public network 220 through
a router 213.

Figure 3 shows the detailed design of the preferred embodiment of the switch box 300
connecting the Host Network 301 and the Access Network 311 to the node 328 that has
a network connection 324 that is typically an Ethernet connection. The switch box 300
has 4 network connections. The first is a network connection 334 to the node. The
second is a network connection 312 for data transfer with the Access Network. The
third is a network connection 302 for data transfer with the Host Network. The fourth
is a network connection 303 for the control of the switch box 300 through the Host
Network.

The switch 320 determines whether the data packets pass back and forth from Host 
Network connection 302 or the Access Network connection 312 to the node network 
connection 334. The switch 320 is controlled by the switch enable line 308 from the 
Host Network connection 303 that sets the switch enable line 308 to a high or low 
value. 

When the Access Network is connected, data packets pass back and forth from the
Access Network connection 312 to the node network connection 334 via the firewall
314, the switch 320, and the I/O manager 323. The firewall 314 implements functions
such as decryption and encryption, user authentication, content checks and virus
checks. The I/O Manager 323 coordinates data from multiple ports 325, 326 and 327 on
the equipment and which enters the switch box through ports 335, 336 and 337. The
additional equipment ports 325, 326 and 327 are debug ports that can be different
network connections, digital or analog I/O ports which give the service person access to
the equipment that is not normally available to the customer. The I/O manager also
supplies information on the data being passed over the Access Network to the computer
117 in Figure 1. The computer 117 is used to log all activity on the Access Network.

The firewall 314 uses firewall data read from memory 315 over the read data lines 320.
The firewall data read from memory 315 includes security keys that decode input and
convert it to readable data using the security keys and take output and convert it to
encoded output using the security keys. Additional firewall data are used in a checklist
for acceptable content such as function names, number of arguments, argument type,
data format, and data. Additional firewall data includes the identification of the authorized
remote user.

When the Host Network is connected, data packets pass back and forth from the Host 
Network connection 302 to the node network connection 334 via the firewall manager 
310, the switch 320, and the I/O manager 323. The firewall manager 310 is responsible 
for receiving the firewall data sent to the switch box 300 from the Host Network, and 
writing the firewall data into memory 315 over lines 319. The write enable lines for the 
memory 317 are set by the AND block 316 that combines the write enable line from the 
firewall manager 310 and the switch enable line 308 which ensures that firewall memory 
cannot be written while the Access Network is connected. The location of the firewall 
manager between the switch 320 and the Host Network ensures that the firewall data 
can only be received from the Host Network. 
In the preferred implementation, the blocks in the switch box 300 are implemented as
combinations of integrated circuit chips.

In the preferred implementation, the two networks 101 and 102, are physically
connected through a single RJ45 5 pin connector which is the standard Ethernet
connector in which only 2 of the 5 lines are used. The advantage of using a single
connector is that there is no chance that the Host network is plugged into the Access
network port.

There are alternate implementations of the network layout, switch box, network
connectors, and network media that are disclosed below.

An alternative network layout is shown in Figure 2b in which the switch boxes 231a and
231b are built into the nodes 232a and 232b which has the advantage to the vendor of
the node of selling an integrated solution.

Another alternative network layout is shown in Figure 2c in which the switch box 241a
and 241b is built into a hub assembly 244 which has the advantage that the solution
can be implemented by simply replacing a hub with no new connections being made out
to the node. The node 242a and 242b has single connections to the switch boxes 241a
and 241b. There is a connection matrix 246 that connects the switch boxes to the hubs
243 and 253.

An alternative embodiment of the physical connection of the network to the switch box
is to use a different connector and cable style for the two networks such as RJ45 for
one network and Coax plug for the other network, or have one of the two networks be
wireless, or having one network connected through a phone line and the other network
through a cable television connection, or have two nominally identical connectors with
mechanical keys to ensure they are plugged in correctly. The physical connections of the
two networks are made mechanically distinct to eliminate the chance of incorrect
connections.

An alternative embodiment of the switch box and equipment includes a separate status
port on the node connected to the network connection 303 in figure 3 that allows the
status of the equipment to be read at all times by computers on the Host Network.
Another embodiment of the switch box includes a firewall on the Host network side of
the switch box.

Alternative embodiments of the firewall can eliminate parts of the content checking and
virus checking functions, or can expand these functions.

An alternative implementation of network architecture uses different network protocols
to keep the Host and Access networks physically separated as shown in figure 4. There
are two routers 403 and 413. The protocol for each router uses the same physical layer
1 and data layer 2 but use different network layer 3 or higher to pass packets. These
layers are part of the OSI reference model for network communications. The routers
403 and 413 are connected to the hub 402 along with the switch boxes 421a and 421b
built into the nodes 422a and 422b. The switch boxes built into the equipment have
network connections that read and write one protocol and ignore the other protocol. As
a result the data packets on the Host and Access Networks are kept separate as if they
were passing down separate wires. A network architecture with 2 protocols is relatively
to install. The addition of a router 413 with a different protocol can provide secure
remote access to any node on the Host network that has a switch box.

There are alternate implementations of the switch 320 for applications that include
nodes that have limited input or output capability. Examples of nodes that have limited
input or output capability include displays, printers and cameras. When the nodes has
limited input or output capability, the switch can turn the access network or the host
network on and off independently.

In another implementation, the switch box 300 can be replaced with a single network
interface that can be reconfigured to accept a different protocol. In another
implementation the switch box 300 can be a packet switch.

Alternative implementations of the blocks in the switch box use one or more custom
integrated circuits or use a general purpose processor and software.

In the preferred embodiment, remote diagnosis is accomplished with the steps shown in
Figure 5. The first step 501 comprises problem identification by a user or by the node.
The next step 502 comprises notification to the network server that there is a problem
with a node.

After evaluation by system administrator, diagnosis 503 is scheduled with the remote
user who will conduct the diagnosis. In an emergency, scheduling may be automatic
and immediate. Next 504 the network server sends security information such as security
keys over the Host and Public Networks to the remote user. Then 505, if the node IP
address is fixed, the network server supplies 506 node identification including the IP
address to the remote user. Then 506 the network supplies security information such as
security keys, content check, user identification and virus check data to the firewall
memory 315 in Figure 3.
At the scheduled time diagnosis starts 507. The network server switches 508 the node
to the Access Network. If the node IP address is dynamically assigned 509 then the
node supplies 510 IP address to the vendor over the Access and Public Networks. The
remote user makes contact with the node and runs 511 the diagnostic session. The
firewall checks 512 that users identification is authorized by checking the list in the
firewall memory. During the diagnosis 513 and 514, data packets from the vendor are
decrypted, content checked and virus checked. Data packet information is sent 515 by
the IO manager in the switch box to the Access Network log computer. The remote user
notifies 516 the network server that the session has ended over the Host and Public
Networks or through the status port on the equipment. Finally the network server
switches 517 the node to the Host Network.
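As an added illustration, not part of this application, the following Python model follows the switch box of Figure 3 (switch 320, firewall 314 with its checklist in memory 315, the AND block 316 that write-protects that memory while the Access Network is connected, and the I/O manager log for computer 117) through steps 506 to 517 of Figure 5. The user names, keys, function names and argument types are constructed sample data.

```python
"""Software model of the switch box of Figure 3 and steps 506-517 of Figure 5.
Added illustration, not part of the application; all sample values are assumed."""
from dataclasses import dataclass, field

HOST, ACCESS = "host", "access"         # the two positions of switch 320


@dataclass
class FirewallMemory:                   # memory 315
    keys: dict = field(default_factory=dict)            # user -> security key
    authorized_users: set = field(default_factory=set)
    # positive checklist: function name -> argument types it accepts
    allowed_functions: dict = field(default_factory=dict)


class SwitchBox:
    def __init__(self):
        self.switch_enable = False      # line 308: True = Access Network connected
        self.memory = FirewallMemory()
        self.access_log = []            # what the I/O manager sends to computer 117

    def write_firewall_data(self, keys, users, functions):
        """Firewall manager 310; AND block 316 blocks writes while Access is on."""
        if self.switch_enable:
            return False
        self.memory = FirewallMemory(dict(keys), set(users), dict(functions))
        return True

    def connect(self, network):         # network server driving line 308 via 303
        self.switch_enable = (network == ACCESS)

    def connected_network(self):
        return ACCESS if self.switch_enable else HOST

    def access_packet(self, user, key, function, args):
        """Firewall 314: a packet from the Access Network must pass every check."""
        verdict = self._check(user, key, function, args)
        self.access_log.append((user, function, verdict))   # step 515
        return verdict == "accepted"

    def _check(self, user, key, function, args):
        if not self.switch_enable:
            return "rejected: node is on the Host Network"
        if user not in self.memory.authorized_users:      # step 512
            return "rejected: unknown user"
        if self.memory.keys.get(user) != key:             # stands in for decryption
            return "rejected: bad key"
        expected = self.memory.allowed_functions.get(function)
        if expected is None:
            return "rejected: function not in checklist"
        if len(args) != len(expected):
            return "rejected: wrong number of arguments"
        if any(not isinstance(a, t) for a, t in zip(args, expected)):
            return "rejected: wrong argument type"
        return "accepted"


def run_remote_diagnosis():
    """Steps 506-517 with constructed sample data; returns the outcomes."""
    box = SwitchBox()
    loaded = box.write_firewall_data(   # step 506: node still on Host Network
        keys={"vendor": "key-1"}, users={"vendor"},
        functions={"read_register": [int], "set_gain": [int, float]})
    box.connect(ACCESS)                 # step 508
    results = {
        "loaded": loaded,
        "good": box.access_packet("vendor", "key-1", "read_register", [7]),
        "bad_user": box.access_packet("eve", "key-1", "read_register", [7]),
        "bad_args": box.access_packet("vendor", "key-1", "set_gain", [1, 2]),
        "not_listed": box.access_packet("vendor", "key-1", "reboot", []),
        "write_blocked": not box.write_firewall_data({}, set(), {}),
    }
    box.connect(HOST)                   # step 517
    results["back_on_host"] = box.connected_network() == HOST
    results["log_entries"] = len(box.access_log)
    return results
```

Every packet, accepted or not, lands in the access log, which is what lets the log computer on the Access Network reconstruct a session afterwards.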

In alternative implementations, the switch box is used to support the supply of
entertainment to a TV on the Host Network. The TV system consists of three nodes, a
display and a controller and optionally a video recorder, each with its own network
connection. The display and video recorder have a switch box so they can be connected
to the Access network. The controller acts as the network server 105 that schedules the
switching of the display and recorder, or communicates with a separate network server.
The user interacts with the controller to select a movie over the Host and Public
Network. The movie is sent to the display or video recorder over the Access Network.
The switch box can also include an Internet browser for displaying downloaded Internet
data without storing the downloaded data or any hidden viruses.

In another implementation, the display has multiple inputs including 2 network
connections and the different inputs appear as different windows in the display. The
display is configured as an input only device and cannot be used to access the rest of the
Host network so the display does not need a switch box.
In another implementation, the switch box is used to support remote access to video
cameras used for surveillance. The camera has multiple outputs including 2 network
connections. The camera is essentially an input only device and cannot be used to
access the rest of the Host network so the camera does not need a switch box.
When the camera or the network server identifies a problem the event is recorded on a
video recorder that does have a switch box as it can both input and output video. A
message and a copy of the video is sent by email or telephone to a remote user
responsible for security. The remote user connects via the Public and Host networks, and
connects with the cameras over the Access network. The remote user live video to
determine the appropriate action while the video is also being recorded over the Host
network.

The foregoing description of an implementation of the invention has been presented for
the purposes of illustration and description. It is not exhaustive and does not limit the
invention to the precise form disclosed.